System and Organization Controls (SOC)

In this highly competitive business world, companies are focusing on their core operations and maximizing efficiencies. This shift in focus has resulted in more functions being outsourced to third-party vendors, known as service organizations, who provide cost containment and other benefits. Increased outsourcing has highlighted the importance, and sometimes the necessity, of System and Organization Controls (SOC) audits. A SOC audit shows your company’s commitment to maintaining a solid control environment that protects your clients’ data and confidential information.

SOC 1 Audits

System and Organization Controls (SOC 1; formerly SAS 70) is an internationally recognized third-party audit designed for service organizations, yielding these valuable benefits:

Independent assessment of controls

Confirmation that controls, procedures and processes are in place as management intends

Insightful consulting advice

Potential to grow market share

Reduction in third party self-assessment questionnaires

One audit report can satisfy multiple customers.

Instant credibility

Heightened third party perception

A SOC 1 report is focused on internal controls over financial reporting. This option is suited to service organizations processing financial-related data for their customers.

SOC 2 and SOC 3 Audits

SOC 2 and SOC 3 reports are focused on controls related to compliance or operations and address the Trust Services Principles (TSP): security, availability, processing integrity, confidentiality and privacy. This option is suited for service organizations providing data hosting, Software-as-a-Service (SaaS), cloud-based service entities, title and escrow companies, and the health care industry, to name a few. SOC audits can be Type 1 or Type 2, as follows:

Type 1 – provides limited assurance and is used to report on the design of controls as of a point in time.

Type 2 – provides the highest level of assurance for SOC audits and reports on the service organization’s design of controls and operating effectiveness over a period of time.

SOC Practice Leaders

Marc Davis, Partner

CPA, Practice Leader

Marc Davis, CPA, Practice Leader SOC Services, is one of the founding Partners of Davis Farr LLP. He has 30+ years of experience in government auditing, accounting, and consulting. He serves as the attest leader in the financial statement audits of federal agencies at Davis Farr, as well as leading the firm’s SOC Audit Group. Marc is co-author of Practice Aids for Reporting on Controls of Service Organizations – SOC 1 Engagements, and Practice Aids for Reporting on Controls of Service Organizations – SOC 2 Engagements, both published by Thomson Reuters. He has been a speaker at the Association of Government Accountants’ (AGA) annual conference on the usefulness of SOC audits in the government arena.

Diego Vanegas, Partner

CPA, CITP, CISA

Diego Vanegas, CPA, CITP, CISA, is a Partner at Davis Farr LLP. He has over 13 years of audit and compliance audit experience for government and nonprofit agencies. Diego has strong internal control audit experience through his extensive performance of SOC audits of government entities and commercial service providers. As a Certified Information Technology Professional (CITP) and a Certified Information Systems Auditor (CISA), his areas of IT expertise include General Controls, IT Application Controls and Business Processes. Diego is proficient in logical security, change management processes, fraud controls, and the Software Development Life Cycle (SDLC).

The SOC experts at Davis Farr can put your company in a position of strength. Our customized work programs are designed to fit your business model so you can develop realistic and sustainable best-practice methodologies.